Stay Ahead of Risk: Making a Better Risk Assessment

The risk assessment process is more meaningful and effective when you understand both the potential business impact of a cybersecurity event and the likelihood of that event occurring. It is not possible to predict every attack or vulnerability. However, if you identify the events that could affect your company and prioritize your security efforts according to how likely each one is, your business will have a stronger cybersecurity posture.

Risk assessment vs. business impact analysis

A comprehensive risk assessment may have all of the components of a good business impact analysis incorporated into the assessment, but that is not always the case. In its most basic form, the risk assessment identifies potential risks to your systems and networks. A slightly more advanced version will also include the likelihood of these risks coming to fruition.

Business impact analysis, on the other hand, focuses on predicting the consequences of a disruption to one or more business functions and processes. It also includes gathering the information needed to develop recovery strategies. Business impact analysis encompasses more than cybersecurity and considers disruptions to business functions from a variety of causes, including power outages, damage to infrastructure and the absence of essential employees.

NIST guidance suggests that businesses should conduct a thorough assessment of risk, including the likelihood and magnitude of harm, from unauthorized “access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits.” In other words, you must understand the business impact of such an attack.

[Graphic] Keeping balance: Deciding between Business Risk Assessment and Business Impact Analysis.

Putting it together: Your risk assessment

So where do you start? If your organization already has a recent, completed risk assessment, review the documentation. Check that the threat information is current and reevaluate any previous business impact analysis. If the impact analysis is incomplete or hasn’t been started, take the threat information from your risk analysis and assess the business impact and likelihood of each of those risks occurring. If a threat is unlikely to have a significant impact, or is very unlikely to occur, remove it from your risk assessment in favor of something more impactful or more likely.

If your organization has never formally created a comprehensive risk assessment, you will need to begin the process from scratch. This can be a considerable investment of time, and you may wish to contract the work out to a third party.

Once you have a risk assessment that incorporates business impact analysis, there are a few more things to do. Document and disseminate the risk assessment, whether as a risk assessment report or as part of a security plan. Dissemination keeps stakeholders informed of the risks that apply to their divisions. Finally, update the risk assessment at regular intervals and whenever there are significant changes to the information system or its environment of operation, including the identification of new threats and vulnerabilities. Business functions change over time, so keep your risk assessment aligned with your current business activities and objectives.

[Photo] Risky business is so ‘80s. Be prepared by having a risk assessment for your business.

Let’s get started

Analecta can help you stay aware of potential risks to your business and reduce the impact of potential threats. Using a holistic approach and industry standards, our Analecta 96-point Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. Our assessment identifies the most important next steps in your firm’s cybersecurity program to maximize protection. Contact us at or visit our Cybersecurity website.

For more information, check out these resources:  

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium-sized businesses. Analecta is a trusted partner that helps companies achieve their cybersecurity objectives.
